Having read two great posts on OpenSSH best practices, I decided today that I wanted to upgrade my SSH key architecture to use Elliptic Curve Cryptography. There were several gotchas involved that I thought were worth sharing here. At the time of writing there are no packages for Fedora 15 or Debian stable that I could find, so I've worked from source.
Getting ECC working on some systems can be a bit of a pain. Fedora, in particular, has decided, due to patent encumbrance, to remove the header include files for OpenSSL's ECC implementation. To get around this, I recommend reinstalling OpenSSL from source, using the tarball from the OpenSSL site. You can tell whether your distro has this problem because the ./configure output of OpenSSH will contain:
checking whether OpenSSL has complete ECC support... no
An easy way to check beforehand is to look for the presence of /usr/include/openssl/ecdsa.h; if the header is missing, the OpenSSH build cannot pick up ECC support from the distro's OpenSSL.
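The two checks above (the ecdsa.h header and the configure line) are easy to script as a pre-flight step before building OpenSSH. The following is an added example, not code from the original post: the function names, the demo and the constructed sample configure logs are this example's own; the header path and the configure message are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before
# building OpenSSH with ECDSA support.
#   1. Is openssl/ecdsa.h present under an include root?
#   2. Did a saved ./configure transcript report complete ECC support?
# Function names and the sample logs below are this example's own.

# has_ecdsa_header [INCLUDE_ROOT]
#   Returns 0 when openssl/ecdsa.h exists under INCLUDE_ROOT
#   (default /usr/include), 1 otherwise. A patent-stripped distro OpenSSL
#   lacks this header, which is why OpenSSH's configure then reports no ECC.
has_ecdsa_header() {
    [ -f "${1:-/usr/include}/openssl/ecdsa.h" ]
}

# configure_has_ecc CONFIGURE_LOG
#   Reads a saved ./configure transcript. Returns 0 on
#   "checking whether OpenSSL has complete ECC support... yes",
#   1 on "... no", and 2 if the line is absent (wrong file, or a
#   configure script that does not know about ECC at all).
configure_has_ecc() {
    line=$(grep 'checking whether OpenSSL has complete ECC support' "$1" 2>/dev/null) || return 2
    case "$line" in
        *"... yes"*) return 0 ;;
        *"... no"*)  return 1 ;;
        *)           return 2 ;;
    esac
}

# ecc_preflight [INCLUDE_ROOT] [CONFIGURE_LOG]
#   Runs both checks and prints a one-line verdict. Exit status is 0 only
#   when the header exists and the log (if one is given) says "yes".
ecc_preflight() {
    root="${1:-/usr/include}"
    log="$2"
    if ! has_ecdsa_header "$root"; then
        echo "missing $root/openssl/ecdsa.h: build OpenSSL from source before OpenSSH"
        return 1
    fi
    if [ -n "$log" ]; then
        configure_has_ecc "$log" && rc=0 || rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "configure reported no ECC support: point --with-ssl-dir at the full OpenSSL"
            return 1
        elif [ "$rc" -eq 2 ]; then
            echo "no ECC line found in $log: is this the right configure output?"
            return 1
        fi
    fi
    echo "ECC prerequisites satisfied"
    return 0
}

# demo_ecc_preflight
#   Exercises the checks on constructed input in a temporary directory
#   (no real system files are touched). Returns 0 if every case behaves
#   as expected: header+yes passes, header+no fails, missing header fails.
demo_ecc_preflight() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/good/openssl" "$tmp/bad"
    : > "$tmp/good/openssl/ecdsa.h"                                        # constructed header
    printf 'checking whether OpenSSL has complete ECC support... yes\n' > "$tmp/yes.log"
    printf 'checking whether OpenSSL has complete ECC support... no\n'  > "$tmp/no.log"
    ecc_preflight "$tmp/good" "$tmp/yes.log" >/dev/null && a=0 || a=$?
    ecc_preflight "$tmp/good" "$tmp/no.log"  >/dev/null && b=0 || b=$?
    ecc_preflight "$tmp/bad"                 >/dev/null && c=0 || c=$?
    rm -rf "$tmp"
    [ "$a" -eq 0 ] && [ "$b" -eq 1 ] && [ "$c" -eq 1 ]
}

# Stand-alone run: self-check on constructed input, then the real system.
demo_ecc_preflight && echo "demo: all constructed cases behaved as expected"
ecc_preflight
```

On a real box, run `./configure ... | tee configure.log` and then `ecc_preflight /usr/include configure.log` (or `/usr/local/ssl/include configure.log` after a source build of OpenSSL) to get a single pass/fail before spending time on `make`.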
So, once you've got the latest and greatest OpenSSL installed, download the latest OpenSSH portable tar.gz. Then run the following.
On Fedora 15 (after installing OpenSSL from source; the last command in this list needs to be run as root). /usr/local/ssl is where a source build of OpenSSL installs by default, so --with-ssl-dir points the OpenSSH build at that copy rather than the distro's stripped one:
tar -xzf openssh-5.8p2.tar.gz
cd openssh-5.8p2
./configure --with-selinux --bindir=/usr/bin --sbindir=/usr/sbin --with-ssl-dir=/usr/local/ssl/
make
make install
On Debian/Ubuntu (not necessary to install OpenSSL from source):
tar -xzf openssh-5.8p2.tar.gz
cd openssh-5.8p2
./configure --bindir=/usr/bin --sbindir=/usr/sbin
make
sudo make install
You can then generate an ECDSA key and deploy it to your servers as usual.
ssh-keygen -t ecdsa -b 521
ssh-copy-id -i ~/.ssh/id_ecdsa.pub user@server.tld
Featured image by Koen Photos under a CC-BY-ND license.